In modern communication systems, including both mobile and fixed networks, which are typically IP based, client authentication is often realized via a client-related security association between the client and a specific network element. Accordingly, a failure of that specific network element causes the security association to fail as well, which in turn causes problems in terms of authentication and, thus, problems in terms of any communication that relies on a preceding authentication.
In the following, reference is mainly made to 3GPP mobile networks for illustrative and explanatory purposes so as to exemplify the aforementioned circumstances. It is to be noted that, while reference is mainly made to 3GPP mobile networks hereinafter, such reference is made by way of example only, and similar considerations equally apply to other types of mobile networks and/or fixed networks accordingly.
For example, in IMS- or other SIP-based networks, the SIP protocol is used for session handling. The SIP protocol defines the procedure of registration, which is the linking of the local transport address (e.g. IP address and port) of a client with the publicly known address-of-record (called “public identity” in IMS) of the client. In the IMS, the aspect of authentication is additionally connected with the registration procedure. For authentication, the IMS AKA authentication method is defined, which uses an IPSec connection between the client and a P-CSCF representing the specific network element in charge of authentication. On the IPSec connection, IPSec security associations (SA) are created at the time of registration and refreshed at the time of re-registration.
When a client is authenticated via the IMS AKA authentication method, the client can only send and receive SIP messages via the corresponding security associations (SA) via which it is authenticated at the network side. When the SA is no longer available, e.g. due to a failure of the specific network element in charge of authentication such as the P-CSCF, the client is not reachable by the network. According to previously proposed solutions, the client as such has to perform a new registration by itself, and this new registration has to take place via an alternative network element in charge of authentication, such as an alternative P-CSCF, before the alternative P-CSCF or the like can send or receive any message with respect to the client. Such a new registration by the client is triggered only by an unsuccessful attempt at connection establishment or, at the latest, by a re-registration initiated by the client itself. That means that, within a (re-)registration period (which may range from e.g. half an hour to several days), the client is not reachable by the network, which is an unacceptable amount of time.
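As an added illustration that is not part of the original text, the following constructed Python model reproduces the dependency just described: the network can deliver to the client only while it holds an SA terminating on a live P-CSCF, so after a P-CSCF failure the client stays unreachable until its own next periodic re-registration, which then succeeds via an alternative P-CSCF. The P-CSCF names, the public identity and the timer values are assumptions chosen for the model.

```python
import math
from dataclasses import dataclass, field

AOR = "sip:alice@example.com"  # constructed public identity (address-of-record)


@dataclass
class SecurityAssociation:
    pcscf: str         # the P-CSCF on which this SA terminates
    expires_at: float  # SA lifetime follows the registration lifetime


@dataclass
class Network:
    """Network side: a client is reachable only via a live SA at a live P-CSCF."""
    live_pcscfs: set
    bindings: dict = field(default_factory=dict)  # public identity -> SA

    def register(self, identity, pcscf, now, lifetime):
        """(Re-)registration creates or refreshes the SA towards the chosen P-CSCF."""
        if pcscf not in self.live_pcscfs:
            raise RuntimeError(f"{pcscf} is unavailable")
        self.bindings[identity] = SecurityAssociation(pcscf, now + lifetime)

    def pcscf_failure(self, pcscf):
        """The failed node takes every SA terminating on it down with it."""
        self.live_pcscfs.discard(pcscf)
        for identity, sa in list(self.bindings.items()):
            if sa.pcscf == pcscf:
                del self.bindings[identity]

    def reachable(self, identity, now):
        sa = self.bindings.get(identity)
        return sa is not None and sa.pcscf in self.live_pcscfs and now < sa.expires_at


def simulate_failover(lifetime, rereg_interval, fail_at):
    """Client registers at t=0 via pcscf-a, re-registers every rereg_interval seconds,
    and pcscf-a fails at fail_at (assumed >= 1). Returns reachability before, during
    and after the failure plus the length of the unreachable window in seconds."""
    net = Network(live_pcscfs={"pcscf-a", "pcscf-b"})  # assumed node names
    net.register(AOR, "pcscf-a", now=0.0, lifetime=lifetime)
    before = net.reachable(AOR, fail_at - 1)
    net.pcscf_failure("pcscf-a")
    during = net.reachable(AOR, fail_at)
    # Recovery happens only when the client itself next re-registers.
    recovery_at = math.ceil(fail_at / rereg_interval) * rereg_interval
    net.register(AOR, "pcscf-b", now=recovery_at, lifetime=lifetime)
    after = net.reachable(AOR, recovery_at)
    return {"before": before, "during": during, "after": after,
            "outage_seconds": recovery_at - fail_at}
```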
Accordingly, it is desirable to avoid such unacceptably long service interruption in case of a failure of a network element in charge of authentication via a client-related security association.
That is to say, it is desirable to provide for an improved failover functionality for a client-related security association.